[CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() #111116
Conversation
@gpshead @serhiy-storchaka @bitdancer @warsaw: Would you mind reviewing this security fix? See issue gh-102988 for the context. This PR is a copy of PR #108250 but I added a strict=True parameter, so it's possible to get the old behavior. I added tests on both modes, strict=True and strict=False.
My colleague Lumir Balhar @frenzymadness ran an impact check of PR #108250 on Fedora: in short, there is no impact; the test suite of all Python packages (in Fedora) passes with the change. While there were some build errors, they were unrelated to the email issue. For details, see the https://copr.fedorainfracloud.org/coprs/lbalhar/email-CVE/builds/ COPR, which has more than 4300 builds. Now with an additional strict parameter, if there is any impacted project, at least there is a way to "opt out".
@tdwyer: Would you mind reviewing my change, to see if I preserved your work correctly? (code and tests)
I think that we should backport the change to all branches accepting security fixes. Problem: the change refers to version numbers, which as
@ambv @SethMichaelLarson: Would you mind reviewing this PR?
Why is this a separate PR from #108250?
Doc/whatsnew/3.13.rst Outdated
@@ -165,7 +165,7 @@ email | |||
encountered instead of potentially inaccurate values. Add optional *strict* | |||
parameter to these two functions: use ``strict=False`` to get the old | |||
behavior, accept malformed inputs. | |||
(Contributed by Thomas Dwyer for :gh:`102988` toameliorate CVE-2023-27043 | |||
(Contributed by Thomas Dwyer for :gh:`102988` toimprove the CVE-2023-27043 |
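Review bot: the suggested wording "to improve the CVE-2023-27043" reads as if the CVE itself were being improved, which inverts the intent of the line it replaces ("to ameliorate CVE-2023-27043"). If "ameliorate" is considered too obscure for the What's New entry, "to mitigate CVE-2023-27043" keeps the original meaning and is the customary term in security notes.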
TIL a new word.
Lib/email/utils.py Outdated
@@ -42,6 +42,8 @@ | |||
specialsre = re.compile(r'[][\\()<>@,:;".]') | |||
escapesre = re.compile(r'[\\"]') | |||
realname_comma_re = re.compile(r'"[^"]*,[^"]*"') |
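Review bot: `realname_comma_re` is introduced without a comment stating what it matches (a double-quoted real name that contains a comma) or why that case needs special handling, and nothing in this hunk shows where it is consumed. Unlike the neighbouring `specialsre` and `escapesre`, the purpose is not obvious from the pattern alone, so a one-line comment next to the definition would help anyone reading only this hunk or a later backport.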
realname_comma_re=re.compile(r'"[^"]*,[^"]*"') | |
realname_comma_re=re.compile(r'"[^",]*+,[^"]*+"') |
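Review bot: the suggested pattern uses possessive quantifiers (`*+`), which the `re` module only accepts from Python 3.11 onward; on the 3.8, 3.9 and 3.10 branches this fix is being backported to (see the backport notes further down), `re.compile` would raise `re.error` when `email.utils` is imported. Both patterns accept exactly the same strings, so keep the original `"[^"]*,[^"]*"` in anything that is meant to be backported, or only adopt the possessive form on main where it cannot break older interpreters.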
It is faster. But I am not sure that the use of such regex is correct.
Lib/email/utils.py Outdated
def _pre_parse_validation(email_header_fields): | ||
accepted_values = [] | ||
for v in email_header_fields: | ||
s = v.replace('\\(', '').replace('\\)', '') |
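Review bot: the `replace('\\(', '').replace('\\)', '')` step treats every backslash-parenthesis pair as an escaped parenthesis, but it cannot tell whether the backslash is itself escaped: in the input `\\)` the first backslash escapes the second, so the `)` is a real (unescaped) parenthesis, yet the replace strips `\)` and the balance check below never sees it. Removing every escaped character instead, e.g. `s = re.sub(r'\\.', '', v)`, consumes the `\\` pair as one unit and leaves the `)` to be counted, which also covers `\\\\)` and longer runs without special-casing them.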
But what if that backslash was already escaped with a backslash? For example \\) or \\\\).
I'm not the author of the other PR. I copied the other PR and added a strict parameter.
I'm not the author of this PR and I was able to make commits to it.
I don't feel comfortable making a significant change to a PR without asking the author. I prefer to create a separate PR and ask for review.
vstinner commented Oct 30, 2023 • edited
Is this behavior a bug or a feature? I don't know how
Oh. getaddresses() expects a sequence, not a string :-)
Except of The latest major change was done in... 1997 with commit be7c45e.
The latest minor change was done in 2019 to fix CVE-2019-16056: commit 8cb65d1 of issue #78336.
Oh, realname_comma_re replaces
Email addresses have multiple standards:
Sorry, @vstinner, I could not cleanly backport this to
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <github@tomd.tel> (cherry picked from commit 4a153a1)
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
GH-123766 is a backport of this pull request to the 3.12 branch.
GH-123767 is a backport of this pull request to the 3.11 branch.
GH-123768 is a backport of this pull request to the 3.10 branch.
…l.parseaddr() (GH-111116) (#123766) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <github@tomd.tel> (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org>
…l.parseaddr() (GH-111116) (#123767) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Thomas Dwyer <github@tomd.tel>
… email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
GH-123769 is a backport of this pull request to the 3.9 branch.
GH-123770 is a backport of this pull request to the 3.8 branch.
….parseaddr() (GH-111116) (#123769) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
….parseaddr() (GH-111116) (#123770) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
…l.parseaddr() (GH-111116) (#123768) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
…n email.parseaddr() (python#111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <github@tomd.tel>
please open a new issue if there's a lingering docs problem.
Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer.
📚 Documentation preview 📚: https://cpython-previews--111116.org.readthedocs.build/
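The behaviour the PR description above summarises (a parse error yields an empty tuple; an optional strict parameter keeps the old behaviour reachable), together with the escaped-backslash case raised in the review of `_pre_parse_validation` and the comma-in-quoted-real-name regex discussed earlier, shown as one added example. This is illustrative code written for this page, not the PR's or CPython's implementation: `unbalanced_parens`, `unbalanced_parens_naive`, `expected_address_count`, `strict_getaddresses` and `strict_parseaddr` are names chosen here, and the checks wrap the installed `email.utils.getaddresses()` rather than replacing its parser. The sample header values are constructed.

```python
import re
from email.utils import getaddresses as _stdlib_getaddresses

# Helpers written for this example (hypothetical names, not CPython's code).

# A double-quoted real name that contains a comma, e.g. "Doe, Jane" <jane@example.com>.
# That comma separates nothing, so it must not be counted as an address
# separator. Same shape as the pattern discussed in the review.
_QUOTED_REALNAME_WITH_COMMA = re.compile(r'"[^"]*,[^"]*"')

# Any backslash-escaped character. Dropping every escaped character, not only
# "\(" and "\)", is what makes an escaped backslash followed by ")" (written
# "\\)" in the header) leave its ")" behind to be counted.
_ESCAPED_CHAR = re.compile(r'\\.')


def unbalanced_parens_naive(value: str) -> bool:
    # The weak check: strips only the two-character sequences "\(" and "\)".
    # For "\\)" it removes "\)" and the real ")" is never counted.
    s = value.replace('\\(', '').replace('\\)', '')
    return s.count('(') != s.count(')')


def unbalanced_parens(value: str) -> bool:
    # Return True if the comment parentheses are unbalanced once every
    # genuinely escaped character has been removed.
    s = _ESCAPED_CHAR.sub('', value)
    return s.count('(') != s.count(')')


def expected_address_count(value: str) -> int:
    # 1 + number of address-separating commas; commas inside a quoted real
    # name are masked out before counting.
    return 1 + _QUOTED_REALNAME_WITH_COMMA.sub('""', value).count(',')


def _old_behaviour(fieldvalues):
    # Interpreters that already carry the fix accept strict=False; older ones
    # do not know the keyword and are permissive by default.
    try:
        return _stdlib_getaddresses(fieldvalues, strict=False)
    except TypeError:
        return _stdlib_getaddresses(fieldvalues)


def strict_getaddresses(fieldvalues, *, strict: bool = True):
    # Like email.utils.getaddresses(), but with strict=True any input the
    # checks cannot account for yields [('', '')] instead of a
    # plausible-looking wrong address.
    fieldvalues = [str(v) for v in fieldvalues]
    if not strict:
        return _old_behaviour(fieldvalues)
    if any(unbalanced_parens(v) for v in fieldvalues):
        return [('', '')]
    result = _stdlib_getaddresses(fieldvalues)
    # A '[' left in the address part means the domain-literal parse gave up.
    if any('[' in addr for _, addr in result):
        return [('', '')]
    # The number of parsed addresses must match what the commas promise.
    if len(result) != sum(expected_address_count(v) for v in fieldvalues):
        return [('', '')]
    return result


def strict_parseaddr(addr: str, *, strict: bool = True):
    # Single-address variant: ('', '') unless exactly one address parses.
    result = strict_getaddresses([addr], strict=strict)
    if len(result) != 1:
        return ('', '')
    return result[0]


if __name__ == '__main__':
    # Constructed sample header values.
    print(strict_getaddresses(['"Doe, Jane" <jane@example.com>', 'bob@example.com']))
    print(strict_parseaddr(r'Jane \\) <jane@example.com>'))
    print(strict_parseaddr(r'Jane \\) <jane@example.com>', strict=False))
```

The naive and hardened balance checks disagree exactly on the input from the review thread: `unbalanced_parens_naive` accepts `Jane \\) <jane@example.com>` because it strips `\)` and loses the real parenthesis, while `unbalanced_parens` removes the `\\` pair as a unit and rejects the value. With strict=False the wrapper defers to whatever the installed interpreter does, which is the opt-out the PR author describes.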